Search criteria
57 vulnerabilities found for ranger by apache
FKIE_CVE-2024-55532
Vulnerability from fkie_nvd - Published: 2025-03-03 16:15 - Updated: 2025-05-21 16:12
Severity ?
Summary
Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0.
Users are recommended to upgrade to version 2.6.0, which fixes this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/03/03/2 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6FACFC90-3CA6-404C-A813-1A01545C1B5C",
"versionEndExcluding": "2.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version \u003c 2.6.0.\nUsers are recommended to upgrade to version 2.6.0, which fixes this issue."
},
{
"lang": "es",
"value": "Neutralizaci\u00f3n incorrecta de elementos de f\u00f3rmula en la funci\u00f3n Exportar CSV de Apache Ranger en la versi\u00f3n de Apache Ranger anterior a la 2.6.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.6.0, que soluciona este problema."
}
],
"id": "CVE-2024-55532",
"lastModified": "2025-05-21T16:12:57.587",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-03-03T16:15:38.777",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/03/03/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1236"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-45478
Vulnerability from fkie_nvd - Published: 2025-01-21 22:15 - Updated: 2025-06-10 09:15
Severity ?
Summary
Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.
Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/01/21/3 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94B04266-A8E8-478F-9340-1B9D6BCD84FA",
"versionEndExcluding": "2.5.0",
"versionStartIncluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS almacenado en la p\u00e1gina de edici\u00f3n de servicios de la interfaz de usuario de Apache Ranger en la versi\u00f3n 2.4.0 de Apache Ranger. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.5.0 de Apache Ranger, que soluciona este problema."
}
],
"id": "CVE-2024-45478",
"lastModified": "2025-06-10T09:15:22.687",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-01-21T22:15:12.137",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/01/21/3"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-45479
Vulnerability from fkie_nvd - Published: 2025-01-21 22:15 - Updated: 2025-06-10 09:15
Severity ?
Summary
SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.
Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/01/21/4 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94B04266-A8E8-478F-9340-1B9D6BCD84FA",
"versionEndExcluding": "2.5.0",
"versionStartIncluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
},
{
"lang": "es",
"value": "Vulnerabilidad SSRF en la p\u00e1gina Editar servicio de la interfaz de usuario de Apache Ranger en la versi\u00f3n 2.4.0 de Apache Ranger. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.5.0 de Apache Ranger, que soluciona este problema."
}
],
"id": "CVE-2024-45479",
"lastModified": "2025-06-10T09:15:23.043",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-01-21T22:15:12.290",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/01/21/4"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-45048
Vulnerability from fkie_nvd - Published: 2023-05-05 08:15 - Updated: 2024-11-21 07:28
Severity ?
8.4 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.4 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.4 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Summary
Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B75BB8F4-2B1E-4CD8-87B4-D07BA2239491",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability.\u00a0This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.\n\n\n"
}
],
"id": "CVE-2022-45048",
"lastModified": "2024-11-21T07:28:40.573",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 6.0,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 6.0,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-05-05T08:15:09.080",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-40331
Vulnerability from fkie_nvd - Published: 2023-05-05 08:15 - Updated: 2024-11-21 06:23
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled
This issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:hive:*:*",
"matchCriteriaId": "A08606DA-FA38-4BC1-96D0-18BCCD0FDC96",
"versionEndIncluding": "2.3.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled\nThis issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.\n\n\n"
}
],
"id": "CVE-2021-40331",
"lastModified": "2024-11-21T06:23:52.733",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-05-05T08:15:08.683",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2019-12397
Vulnerability from fkie_nvd - Published: 2019-08-08 18:15 - Updated: 2024-11-21 04:22
Severity ?
Summary
Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*",
"matchCriteriaId": "112D6BA8-1CF6-4722-9E5A-7309840B1BD0",
"versionEndIncluding": "1.2.0",
"versionStartIncluding": "0.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix."
},
{
"lang": "es",
"value": "La funcionalidad de importaci\u00f3n de pol\u00edticas en Apache Ranger de la versi\u00f3n 0.7.0 a 1.2.0 es vulnerable a un problema de secuencias de comandos entre sitios. Actualice a 2.0.0 o una versi\u00f3n posterior de Apache Ranger con el fix."
}
],
"id": "CVE-2019-12397",
"lastModified": "2024-11-21T04:22:45.230",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-08T18:15:10.663",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-11778
Vulnerability from fkie_nvd - Published: 2018-10-05 19:29 - Updated: 2024-11-21 03:44
Severity ?
Summary
UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AECA2225-2E7C-4480-823F-EFD13F6AB83B",
"versionEndExcluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0"
},
{
"lang": "es",
"value": "UnixAuthenticationService en Apache Ranger 1.2.0 se actualiz\u00f3 para manejar correctamente las entradas de usuario para evitar un desbordamiento de b\u00fafer basado en pila. Las versiones anteriores a la 1.2.0 deber\u00edan actualizarse a la 1.2.0."
}
],
"id": "CVE-2018-11778",
"lastModified": "2024-11-21T03:44:01.080",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-10-05T19:29:00.307",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/oss-sec/2018/q4/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/oss-sec/2018/q4/11"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-6815
Vulnerability from fkie_nvd - Published: 2017-10-13 14:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.securityfocus.com/bid/94221 | Third Party Advisory, VDB Entry | |
| security@apache.org | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94221 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:0.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "28DA5B21-3588-40F7-A9A8-6EB379D7102C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:ranger:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A1FF8B11-2BF3-4845-AD13-87D960D73E5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:ranger:0.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D6909D4B-7BE3-4F29-8982-A5377D63BB17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:ranger:0.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0479F35C-191B-4C25-9133-19FD57CAC286",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:ranger:0.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "88754111-7402-4D9D-8EC5-41FE8247A671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:ranger:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "90B9E6C0-9400-416B-9E31-309A9B988B6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:ranger:0.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "498B2C25-FB79-4B7C-A80B-B2EEDBE34C13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Ranger before 0.6.2, users with \"keyadmin\" role should not be allowed to change password for users with \"admin\" role."
},
{
"lang": "es",
"value": "En Apache Ranger en versiones anteriores a la 0.6.2, los usuarios con el rol \"keyadmin\" no deber\u00edan poder cambiar la contrase\u00f1a de los usuarios con el rol \"admin\"."
}
],
"id": "CVE-2016-6815",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-13T14:29:00.207",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94221"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94221"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-255"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-8746
Vulnerability from fkie_nvd - Published: 2017-06-14 17:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.securityfocus.com/bid/95998 | Third Party Advisory, VDB Entry | |
| security@apache.org | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95998 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*",
"matchCriteriaId": "071BD256-F6DC-4ACE-8EE0-6215386F99EE",
"versionEndIncluding": "0.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true."
},
{
"lang": "es",
"value": "El motor de pol\u00edticas de Apache Ranger anterior versi\u00f3n 0.6.3, empareja inapropiadamente las rutas (paths) de acceso en determinadas condiciones cuando la pol\u00edtica no contiene comodines y presenta un flag de recursividad establecido en true."
}
],
"id": "CVE-2016-8746",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-14T17:29:00.187",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95998"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95998"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-426"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-7676
Vulnerability from fkie_nvd - Published: 2017-06-14 17:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended behavior.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.securityfocus.com/bid/98958 | Third Party Advisory, VDB Entry | |
| security@apache.org | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/98958 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE4E138F-A8DE-4F83-9192-9FE18D8962AA",
"versionEndIncluding": "0.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after \u0027*\u0027 wildcard character - like my*test, test*.txt. This can result in unintended behavior."
},
{
"lang": "es",
"value": "El emparejador de recursos de pol\u00edticas en Apache Ranger anterior a versi\u00f3n 0.7.1, ignora los caracteres despu\u00e9s del car\u00e1cter comod\u00edn \u201c*\u201d, como my*test, test*.txt. Esto puede resultar en un comportamiento no intencionado."
}
],
"id": "CVE-2017-7676",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-14T17:29:00.250",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98958"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98958"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-8751
Vulnerability from fkie_nvd - Published: 2017-06-14 17:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.securityfocus.com/bid/99067 | Third Party Advisory, VDB Entry | |
| security@apache.org | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99067 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAE0BEF1-9E98-47DF-9480-8012924D5D41",
"versionEndExcluding": "0.6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies."
},
{
"lang": "es",
"value": "Apache Ranger, en versiones anteriores a la 0.6.3, es vulnerable a Cross-Site Scripting (XSS) persistente al introducir condiciones de pol\u00edticas personalizadas. Los usuarios administradores pueden almacenar c\u00f3digo JavaScript arbitrario para que sea ejecutado cuando los usuarios normales inician sesi\u00f3n y acceden a las pol\u00edticas."
}
],
"id": "CVE-2016-8751",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-14T17:29:00.217",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/99067"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/99067"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-7677
Vulnerability from fkie_nvd - Published: 2017-06-14 17:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.securityfocus.com/bid/98961 | Third Party Advisory, VDB Entry | |
| security@apache.org | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/98961 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE4E138F-A8DE-4F83-9192-9FE18D8962AA",
"versionEndIncluding": "0.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table."
},
{
"lang": "es",
"value": "En entornos que utilizan la ubicaci\u00f3n externa para tablas hive, el Autorizador Hive en Apache Ranger anterior a versi\u00f3n 0.7.1, debe comprobar el permiso RWX para crear tabla."
}
],
"id": "CVE-2017-7677",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-14T17:29:00.280",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98961"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98961"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-55532 (GCVE-0-2024-55532)
Vulnerability from cvelistv5 – Published: 2025-03-03 16:04 – Updated: 2025-03-04 16:10
VLAI?
Title
Apache Ranger: Improper Neutralization of Formula Elements in a CSV File
Summary
Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0.
Users are recommended to upgrade to version 2.6.0, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
0 , ≤ 2.5.0
(semver)
|
Credits
"김도균"<a2256014@naver.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-03-03T18:03:23.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/03/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T16:08:29.686366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T16:10:02.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\"\uae40\ub3c4\uade0\"\u003ca2256014@naver.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version \u0026lt; 2.6.0.\u003cbr\u003eUsers are recommended to upgrade to version 2.6.0, which fixes this issue."
}
],
"value": "Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version \u003c 2.6.0.\nUsers are recommended to upgrade to version 2.6.0, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T16:17:56.227Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Ranger: Improper Neutralization of Formula Elements in a CSV File",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-55532",
"datePublished": "2025-03-03T16:04:54.856Z",
"dateReserved": "2024-12-06T14:40:07.948Z",
"dateUpdated": "2025-03-04T16:10:02.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45479 (GCVE-0-2024-45479)
Vulnerability from cvelistv5 – Published: 2025-01-21 21:26 – Updated: 2025-06-10 09:06
VLAI?
Title
Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost
Summary
SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.
Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
2.4.0 , < 2.5.0
(semver)
|
Credits
Gyujin (biz@web-us.kr)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-21T22:02:49.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/21/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T14:43:56.539586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T21:06:38.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.5.0",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gyujin (biz@web-us.kr)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\u003cbr\u003eUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
}
],
"value": "SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T09:06:33.435Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45479",
"datePublished": "2025-01-21T21:26:16.500Z",
"dateReserved": "2024-08-29T14:51:06.723Z",
"dateUpdated": "2025-06-10T09:06:33.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45478 (GCVE-0-2024-45478)
Vulnerability from cvelistv5 – Published: 2025-01-21 21:25 – Updated: 2025-06-10 09:05
VLAI?
Title
Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input
Summary
Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.
Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
2.4.0 , < 2.5.0
(semver)
|
Credits
Gyujin (biz@web-us.kr)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-21T22:02:48.006Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/21/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T18:43:51.825307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T18:52:12.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.5.0",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gyujin (biz@web-us.kr)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\u003cbr\u003eUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
}
],
"value": "Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T09:05:27.590Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45478",
"datePublished": "2025-01-21T21:25:58.276Z",
"dateReserved": "2024-08-29T14:30:58.496Z",
"dateUpdated": "2025-06-10T09:05:27.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40331 (GCVE-0-2021-40331)
Vulnerability from cvelistv5 – Published: 2023-05-05 07:55 – Updated: 2024-10-11 17:07
VLAI?
Title
Permissions problem in the Apache Ranger Hive Plugin
Summary
An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled
This issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.
Severity ?
No CVSS data available.
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger Hive Plugin |
Affected:
2.0.0 , ≤ 2.3.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:27:31.979Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ranger:*:*:*:*:*:hive:*:*"
],
"defaultStatus": "unknown",
"product": "ranger",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "2.3.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-40331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T17:06:08.372365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T17:07:19.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger Hive Plugin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.3.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled\u003cbr\u003e\u003cp\u003eThis issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled\nThis issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-05T07:55:06.554Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
}
],
"source": {
"defect": [
"RANGER-3474",
"RANGER-3357"
],
"discovery": "UNKNOWN"
},
"title": "Permissions problem in the Apache Ranger Hive Plugin",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-40331",
"datePublished": "2023-05-05T07:55:06.554Z",
"dateReserved": "2021-08-31T09:23:23.832Z",
"dateUpdated": "2024-10-11T17:07:19.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45048 (GCVE-0-2022-45048)
Vulnerability from cvelistv5 – Published: 2023-05-05 07:50 – Updated: 2024-10-15 18:12
VLAI?
Title
Apache Ranger: code execution vulnerability in policy expressions
Summary
Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.
Severity ?
8.4 (High)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
2.3.0
|
Credits
g1831767442@163.com
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:01:31.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ranger:2.3.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ranger",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "2.3.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T18:11:38.936548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T18:12:43.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "g1831767442@163.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability.\u0026nbsp;This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability.\u00a0This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-05T07:50:25.762Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Ranger: code execution vulnerability in policy expressions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45048",
"datePublished": "2023-05-05T07:50:25.762Z",
"dateReserved": "2022-11-08T10:32:53.853Z",
"dateUpdated": "2024-10-15T18:12:43.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12397 (GCVE-0-2019-12397)
Vulnerability from cvelistv5 – Published: 2019-08-08 17:06 – Updated: 2024-08-04 23:17
VLAI?
Summary
Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
0.7.0 to 1.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:17:40.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
},
{
"name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.7.0 to 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-21T15:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
},
{
"name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-12397",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ranger",
"version": {
"version_data": [
{
"version_value": "0.7.0 to 1.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
"refsource": "CONFIRM",
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
},
{
"name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998@%3Cdev.ranger.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-12397",
"datePublished": "2019-08-08T17:06:43",
"dateReserved": "2019-05-28T00:00:00",
"dateUpdated": "2024-08-04T23:17:40.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-11778 (GCVE-0-2018-11778)
Vulnerability from cvelistv5 – Published: 2018-10-05 19:00 – Updated: 2024-09-17 03:18
VLAI?
Summary
UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0
Severity ?
No CVSS data available.
CWE
- Overflow
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
prior to 1.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2018/q4/11"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "prior to 1.2.0"
}
]
}
],
"datePublic": "2018-10-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-21T15:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://seclists.org/oss-sec/2018/q4/11"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-10-04T00:00:00",
"ID": "CVE-2018-11778",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ranger",
"version": {
"version_data": [
{
"version_value": "prior to 1.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
"refsource": "CONFIRM",
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
"refsource": "MLIST",
"url": "https://seclists.org/oss-sec/2018/q4/11"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998@%3Cdev.ranger.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11778",
"datePublished": "2018-10-05T19:00:00Z",
"dateReserved": "2018-06-05T00:00:00",
"dateUpdated": "2024-09-17T03:18:51.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-6815 (GCVE-0-2016-6815)
Vulnerability from cvelistv5 – Published: 2017-10-13 14:00 – Updated: 2024-09-17 04:14
VLAI?
Summary
In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role.
Severity ?
No CVSS data available.
CWE
- Incorrect Privileges
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
0.5.x
Affected: 0.6.0 Affected: 0.6.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:43:37.907Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94221",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94221"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.5.x"
},
{
"status": "affected",
"version": "0.6.0"
},
{
"status": "affected",
"version": "0.6.1"
}
]
}
],
"datePublic": "2016-11-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Ranger before 0.6.2, users with \"keyadmin\" role should not be allowed to change password for users with \"admin\" role."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Privileges",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "94221",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94221"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2016-11-06T00:00:00",
"ID": "CVE-2016-6815",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ranger",
"version": {
"version_data": [
{
"version_value": "0.5.x"
},
{
"version_value": "0.6.0"
},
{
"version_value": "0.6.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Ranger before 0.6.2, users with \"keyadmin\" role should not be allowed to change password for users with \"admin\" role."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94221",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94221"
},
{
"name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
"refsource": "CONFIRM",
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-6815",
"datePublished": "2017-10-13T14:00:00Z",
"dateReserved": "2016-08-12T00:00:00",
"dateUpdated": "2024-09-17T04:14:03.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8751 (GCVE-0-2016-8751)
Vulnerability from cvelistv5 – Published: 2017-06-14 17:00 – Updated: 2024-08-06 02:35
VLAI?
Summary
Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
Severity ?
No CVSS data available.
CWE
- CSS
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
0.5.x
Affected: 0.6.0 - 0.6.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:35:00.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99067",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99067"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.5.x"
},
{
"status": "affected",
"version": "0.6.0 - 0.6.2"
}
]
}
],
"datePublic": "2017-02-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-20T19:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "99067",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99067"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2016-8751",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ranger",
"version": {
"version_data": [
{
"version_value": "0.5.x"
},
{
"version_value": "0.6.0 - 0.6.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99067",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99067"
},
{
"name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
"refsource": "CONFIRM",
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8751",
"datePublished": "2017-06-14T17:00:00",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-08-06T02:35:00.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55532 (GCVE-0-2024-55532)
Vulnerability from nvd – Published: 2025-03-03 16:04 – Updated: 2025-03-04 16:10
VLAI?
Title
Apache Ranger: Improper Neutralization of Formula Elements in a CSV File
Summary
Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0.
Users are recommended to upgrade to version 2.6.0, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
0 , ≤ 2.5.0
(semver)
|
Credits
"김도균"<a2256014@naver.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-03-03T18:03:23.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/03/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T16:08:29.686366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T16:10:02.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\"\uae40\ub3c4\uade0\"\u003ca2256014@naver.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version \u0026lt; 2.6.0.\u003cbr\u003eUsers are recommended to upgrade to version 2.6.0, which fixes this issue."
}
],
"value": "Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version \u003c 2.6.0.\nUsers are recommended to upgrade to version 2.6.0, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T16:17:56.227Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Ranger: Improper Neutralization of Formula Elements in a CSV File",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-55532",
"datePublished": "2025-03-03T16:04:54.856Z",
"dateReserved": "2024-12-06T14:40:07.948Z",
"dateUpdated": "2025-03-04T16:10:02.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45479 (GCVE-0-2024-45479)
Vulnerability from nvd – Published: 2025-01-21 21:26 – Updated: 2025-06-10 09:06
VLAI?
Title
Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost
Summary
SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.
Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
2.4.0 , < 2.5.0
(semver)
|
Credits
Gyujin (biz@web-us.kr)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-21T22:02:49.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/21/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T14:43:56.539586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T21:06:38.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.5.0",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gyujin (biz@web-us.kr)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\u003cbr\u003eUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
}
],
"value": "SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T09:06:33.435Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45479",
"datePublished": "2025-01-21T21:26:16.500Z",
"dateReserved": "2024-08-29T14:51:06.723Z",
"dateUpdated": "2025-06-10T09:06:33.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45478 (GCVE-0-2024-45478)
Vulnerability from nvd – Published: 2025-01-21 21:25 – Updated: 2025-06-10 09:05
VLAI?
Title
Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input
Summary
Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.
Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
2.4.0 , < 2.5.0
(semver)
|
Credits
Gyujin (biz@web-us.kr)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-21T22:02:48.006Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/21/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T18:43:51.825307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T18:52:12.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.5.0",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gyujin (biz@web-us.kr)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\u003cbr\u003eUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
}
],
"value": "Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T09:05:27.590Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45478",
"datePublished": "2025-01-21T21:25:58.276Z",
"dateReserved": "2024-08-29T14:30:58.496Z",
"dateUpdated": "2025-06-10T09:05:27.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40331 (GCVE-0-2021-40331)
Vulnerability from nvd – Published: 2023-05-05 07:55 – Updated: 2024-10-11 17:07
VLAI?
Title
Permissions problem in the Apache Ranger Hive Plugin
Summary
An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled
This issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.
Severity ?
No CVSS data available.
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger Hive Plugin |
Affected:
2.0.0 , ≤ 2.3.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:27:31.979Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ranger:*:*:*:*:*:hive:*:*"
],
"defaultStatus": "unknown",
"product": "ranger",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "2.3.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-40331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T17:06:08.372365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T17:07:19.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger Hive Plugin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.3.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled\u003cbr\u003e\u003cp\u003eThis issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled\nThis issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-05T07:55:06.554Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
}
],
"source": {
"defect": [
"RANGER-3474",
"RANGER-3357"
],
"discovery": "UNKNOWN"
},
"title": "Permissions problem in the Apache Ranger Hive Plugin",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-40331",
"datePublished": "2023-05-05T07:55:06.554Z",
"dateReserved": "2021-08-31T09:23:23.832Z",
"dateUpdated": "2024-10-11T17:07:19.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45048 (GCVE-0-2022-45048)
Vulnerability from nvd – Published: 2023-05-05 07:50 – Updated: 2024-10-15 18:12
VLAI?
Title
Apache Ranger: code execution vulnerability in policy expressions
Summary
Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.
Severity ?
8.4 (High)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
2.3.0
|
Credits
g1831767442@163.com
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:01:31.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ranger:2.3.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ranger",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "2.3.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T18:11:38.936548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T18:12:43.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "g1831767442@163.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability.\u0026nbsp;This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability.\u00a0This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-05T07:50:25.762Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Ranger: code execution vulnerability in policy expressions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45048",
"datePublished": "2023-05-05T07:50:25.762Z",
"dateReserved": "2022-11-08T10:32:53.853Z",
"dateUpdated": "2024-10-15T18:12:43.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12397 (GCVE-0-2019-12397)
Vulnerability from nvd – Published: 2019-08-08 17:06 – Updated: 2024-08-04 23:17
VLAI?
Summary
Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
0.7.0 to 1.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:17:40.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
},
{
"name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.7.0 to 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-21T15:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
},
{
"name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-12397",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ranger",
"version": {
"version_data": [
{
"version_value": "0.7.0 to 1.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
"refsource": "CONFIRM",
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
},
{
"name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998@%3Cdev.ranger.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-12397",
"datePublished": "2019-08-08T17:06:43",
"dateReserved": "2019-05-28T00:00:00",
"dateUpdated": "2024-08-04T23:17:40.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-11778 (GCVE-0-2018-11778)
Vulnerability from nvd – Published: 2018-10-05 19:00 – Updated: 2024-09-17 03:18
VLAI?
Summary
UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0
Severity ?
No CVSS data available.
CWE
- Overflow
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
prior to 1.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:17:09.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2018/q4/11"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "prior to 1.2.0"
}
]
}
],
"datePublic": "2018-10-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-21T15:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://seclists.org/oss-sec/2018/q4/11"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-10-04T00:00:00",
"ID": "CVE-2018-11778",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ranger",
"version": {
"version_data": [
{
"version_value": "prior to 1.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
"refsource": "CONFIRM",
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
},
{
"name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
"refsource": "MLIST",
"url": "https://seclists.org/oss-sec/2018/q4/11"
},
{
"name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998@%3Cdev.ranger.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-11778",
"datePublished": "2018-10-05T19:00:00Z",
"dateReserved": "2018-06-05T00:00:00",
"dateUpdated": "2024-09-17T03:18:51.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-6815 (GCVE-0-2016-6815)
Vulnerability from nvd – Published: 2017-10-13 14:00 – Updated: 2024-09-17 04:14
VLAI?
Summary
In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role.
Severity ?
No CVSS data available.
CWE
- Incorrect Privileges
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
0.5.x
Affected: 0.6.0 Affected: 0.6.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:43:37.907Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94221",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94221"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.5.x"
},
{
"status": "affected",
"version": "0.6.0"
},
{
"status": "affected",
"version": "0.6.1"
}
]
}
],
"datePublic": "2016-11-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Ranger before 0.6.2, users with \"keyadmin\" role should not be allowed to change password for users with \"admin\" role."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Privileges",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-14T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "94221",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94221"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2016-11-06T00:00:00",
"ID": "CVE-2016-6815",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ranger",
"version": {
"version_data": [
{
"version_value": "0.5.x"
},
{
"version_value": "0.6.0"
},
{
"version_value": "0.6.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Ranger before 0.6.2, users with \"keyadmin\" role should not be allowed to change password for users with \"admin\" role."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94221",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94221"
},
{
"name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
"refsource": "CONFIRM",
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-6815",
"datePublished": "2017-10-13T14:00:00Z",
"dateReserved": "2016-08-12T00:00:00",
"dateUpdated": "2024-09-17T04:14:03.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8751 (GCVE-0-2016-8751)
Vulnerability from nvd – Published: 2017-06-14 17:00 – Updated: 2024-08-06 02:35
VLAI?
Summary
Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
Severity ?
No CVSS data available.
CWE
- CSS
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Ranger |
Affected:
0.5.x
Affected: 0.6.0 - 0.6.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:35:00.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99067",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99067"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Ranger",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.5.x"
},
{
"status": "affected",
"version": "0.6.0 - 0.6.2"
}
]
}
],
"datePublic": "2017-02-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-20T19:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "99067",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99067"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2016-8751",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ranger",
"version": {
"version_data": [
{
"version_value": "0.5.x"
},
{
"version_value": "0.6.0 - 0.6.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99067",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99067"
},
{
"name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
"refsource": "CONFIRM",
"url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8751",
"datePublished": "2017-06-14T17:00:00",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-08-06T02:35:00.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}